EMAIL SUPPORT
dclessons@dclessons.comLOCATION
USConfigure Centralized Control Policy
Configure Centralized Control Policy
When Centralized Control Policy is configured on vSmart Controller, it affects the routing policy based on information present in OMP routes and TLOC of OMP. A policy is configured to match the routes and TLOC and then take action based on matches like redirecting packets via Network Services (FW, LB).
When we have multiple vSmart Controller, than all controllers must have same Centralized policy for network to remain stable.
This Policy contains a series of ordered number sequence matching –action which are evaluated in order and when a route or TLOC matches its associated actions are executed on that packet. If anything not matched then packet is by default rejected and discarded.
CLI Configuration Procedure:
Create Site List to which this Centralized control policy is to be applied.
vSmart(config)# policy
vSmart(config-policy)# lists site-list list-name
vSmart(config-lists-list-name)# site-id site-id
Create list of IP Prefixes, TLOC and VPN as required.
vSmart(config)# policy lists
vSmart(config-lists)# prefix-list list-name
vSmart(config-lists-list-name)# ip-prefix prefix/length
vSmart(config)# policy lists
vSmart(config-lists)# tloc-list list-name
vSmart(config-lists-list-name)# tloc address color color encap encapsulation [preference value]
vSmart(config)# policy lists
vSmart(config-lists)# vpn-list list-name
vSmart(config-lists-list-name)# vpn vpn-id
Create a control policy instance:
vSmart(config)# policy control-policy policy-name
vSmart(config-control-policy-policy-name)#
Create a series of match–action pair sequences:
vSmart(config-control-policy-policy-name)# sequence number
vSmart(config-sequence-number)#
Define match parameters for routes and for TLOCs:
vSmart(config-sequence-number)# match route route-parameter
vSmart(config-sequence-number)# match tloc tloc-parameter
Define actions to take when a match occurs:
vSmart(config-sequence-number)# action reject
vSmart(config-sequence-number)# action accept export-to (vpn vpn-id | vpn-list listname)
vSmart(config-sequence-number)# action accept set omp-tag number
vSmart(config-sequence-number)# action accept set preference value
vSmart(config-sequence-number)# action accept set service service-name (tloc ip-address| tloc-list list-name) [vpn vpn-id]
vSmart(config-sequence-number)# action accept set tloc ip-address color color [encapencapsulation]
vSmart(config-sequence-number)# action accept set tloc-action action
vSmart(config-sequence-number)# action accept set tloc-list list-name
If no match is found in any of the sequences, it will be rejected, and if for non-matching traffic you want acceptance, you need to configure default action policy.
vSmart(config-policy-name)# default-action accept
Apply the policy to one or more sites in the Viptela overlay network:
vSmart(config)# apply-policy site-list list-name control-policy policy-name (in | out)
If the action you are configuring is a service, configure the required services on the vEdge routers so that the vSmart controller knows how to reach the services:
vEdge(config)# vpn vpn-id service service-name address ip-address
Prefixes:
Prefixes can be used as given below:
- Prefix/length— Exactly match a single prefix–length pair.
- 0.0.0/0—Match any prefix–length pair.
- 0.0.0/0 le length—Match any IP prefix whose length is less than or equal to length. For example, ip prefix 0.0.0.0/0 le 24 matches all IP prefixes with lengths from /1 through /24.
- 0.0.0/0 ge length—Match any IP prefix whose length is greater than or equal to length. For example, ip-prefix 0.0.0.0 ge 27 matches all IP prefixes with lengths from /27 through /32.
- 0.0.0/0 ge length1 le length2, or 0.0.0.0 le length2 ge length1—Match any IP prefix whose length is greater than or equal to length1 and less than or equal to length2. For example, ip-prefix 0.0.0.0/0 ge 20 le 24 matches all /20, /21, /22, /23, and /24 prefixes.
TLOC:
Each TLOC is specified by 3 tuple like its address, color, Encapsulation, in which address is its system address, color is WAN link color and encapsulation is gre or ipsec.
Comment
TABLE OF CONTENTS
- Onboarding & Provisioning Configuring Templates
- Authentication between vSmart & vBond
- Authentication between vSmart Controller
- Authentication between vBond & vEdge Router
- Authentication between vEdge Router & vManage NMS
- Authentication between vSmart Controller & vEdge Router
- Viptela Specific Port Terminology
- Configure vManage & Generate Certificate
- Configure vBond & Generate Certificate
- Configure vSmart & Generate Certificate
- Configure vEdge & Generate Certificate
- Secure DataPlane Bringup
- Control Plane & Data Plane Operation - Unicast Routing Overview
- Configuring OMP & Its attributes
- Configure Unicast Overlay Routing
- Routing Configuration Example
- Segmentation Overview
- Configuring Segmentation
- Segmentation Configuration Example
- Data Traffic across Private WANs
- NAT in SDWAN & Data Encryption
- SD-WAN Viptela Policy Overview
- SD-WAN Centralized & Localized Control Policy Overview
- SD-WAN Centralized & Localized Data Policy
- Application – Aware Routing Overview
- Service Chaining
- Traffic Flow Monitoring
- vEdge Router as NAT Device
- Zone Based Firewalls
- Configuring Application Aware Routing
- Configure Centralized Control Policy
- Configuring Centralized Data Policy
- Configuring Cflowd Traffic Monitoring
- Configuring Zone based Firewall
- Service Chaining Configuration Example
- Configuring Service Side NAT
- Configuring Transport side NAT
RECENT POSTS
- What is Docker and Why is It Important?
- Learn Python 3.0 Programming for Network Automation
- Cisco ACI Data Centre: A Comprehensive Overview
- How to Prepare for the Microsoft Azure AZ-305 Exam
- AWS Training Certification Course for Solutions Architect
- Cisco SASE Architecture
- SASE vs SD-WAN
- What is SASE
- Accessing Amazon S3 using AWS private Link in Secure hybrid method.
- Cisco Smart Licensing Policy
LEAVE A COMMENT
Please login here to comment.